Android apk快速定位、灰色按钮克星--DroidSword
本文博客地址:https://blog.csdn.net/QQ1084283172/article/details/80994434
在进行Android应用程序的逆向分析时,经常需要对Android应用程序的按钮事件、Activity界面等类的代码进行定位分析,传统的代码定位方法就是进行按钮或者Activity界面等显示的 字符串信息 进行全局的搜索,然后找他们的id或者类进行代码的定位,比较繁琐,这里介绍一个基于Xposed Hook实现的Android apk快速定位,灰色按钮克星工具DroidSword,当然了亦可以使用我前面的博客中提到的《Xposed框架Hook Android应用的所有类方法打印Log日志》和《查找和定位Android应用的按钮点击事件的代码位置基于Xposed Hook实现》进行Android应用程序的需要分析的代码的定位。
DroidSword工具的功能介绍:
1.快速定位Activity,以及点击View的信息
2.点击悬浮窗口获取Fragment
3.灰色按钮克星
4.文字修改神器
DroidSword工具的github地址:https://github.com/githubwing/DroidSword
DroidSword工具作者的学习博客:http://androidwing.net
DroidSword工具是基于Xposed Hook实现的,但是作者githubwing是使用Kotlin语言实现的,对于Kotlin语言不熟悉,但是对于DroidSword工具的实现思路还是能看明白,下面简要的分析一下。
1.类IHooker是作者编写的xposed hook的接口类,代码如下:
2.类net.androidwing.droidsword.Init是DroidSword工具xposed hook的入口类:
3.类ViewClickedHooker主要用于实现Hook类android.view.View的方法onTouchEvent,获取到View类的名称和View类的id以及View的事件监听类对象的类名称;Hook类android.view.View的方法dispatchTouchEvent,获取到的View类的名称、View类的id、View的事件监听类对象的类名称并在设备的界面上显示出来。
源码文件路径:/frameworks/base/core/java/android/view/View.java
一般View组件情况下,Hook类android.view.View的类方法onTouchEvent函数,View组件通过获取实例对象View中的成员变量mListenerInfo->mOnClickListener所属的类名称,得到响应View按钮单击事件的监听响应类OnClickListener的信息。
/**
* Implement this method to handle touch screen motion events.
* <p>
* If this method is used to detect click actions, it is recommended that
* the actions be performed by implementing and calling
* {@link #performClick()}. This will ensure consistent system behavior,
* including:
* <ul>
* <li>obeying click sound preferences
* <li>dispatching OnClickListener calls
* <li>handling {@link AccessibilityNodeInfo#ACTION_CLICK ACTION_CLICK} when
* accessibility features are enabled
* </ul>
*
* @param event The motion event.
* @return True if the event was handled, false otherwise.
*/
public boolean onTouchEvent(MotionEvent event) {
final int viewFlags = mViewFlags;
if ((viewFlags & ENABLED_MASK) == DISABLED) {
if (event.getAction() == MotionEvent.ACTION_UP && (mPrivateFlags & PFLAG_PRESSED) != 0) {
setPressed(false);
}
// A disabled view that is clickable still consumes the touch
// events, it just doesn't respond to them.
return (((viewFlags & CLICKABLE) == CLICKABLE ||
(viewFlags & LONG_CLICKABLE) == LONG_CLICKABLE));
}
if (mTouchDelegate != null) {
if (mTouchDelegate.onTouchEvent(event)) {
return true;
}
}
if (((viewFlags & CLICKABLE) == CLICKABLE ||
(viewFlags & LONG_CLICKABLE) == LONG_CLICKABLE)) {
switch (event.getAction()) {
case MotionEvent.ACTION_UP:
boolean prepressed = (mPrivateFlags & PFLAG_PREPRESSED) != 0;
if ((mPrivateFlags & PFLAG_PRESSED) != 0 || prepressed) {
// take focus if we don't have it already and we should in
// touch mode.
boolean focusTaken = false;
if (isFocusable() && isFocusableInTouchMode() && !isFocused()) {
focusTaken = requestFocus();
}
if (prepressed) {
// The button is being released before we actually
// showed it as pressed. Make it show the pressed
// state now (before scheduling the click) to ensure
// the user sees it.
setPressed(true);
}
if (!mHasPerformedLongPress) {
// This is a tap, so remove the longpress check
removeLongPressCallback();
// Only perform take click actions if we were in the pressed state
if (!focusTaken) {
// Use a Runnable and post this rather than calling
// performClick directly. This lets other visual state
// of the view update before click actions start.
if (mPerformClick == null) {
mPerformClick = new PerformClick();
}
if (!post(mPerformClick)) {
performClick();
}
}
}
if (mUnsetPressedState == null) {
mUnsetPressedState = new UnsetPressedState();
}
if (prepressed) {
postDelayed(mUnsetPressedState,
ViewConfiguration.getPressedStateDuration());
} else if (!post(mUnsetPressedState)) {
// If the post failed, unpress right now
mUnsetPressedState.run();
}
removeTapCallback();
}
break;
case MotionEvent.ACTION_DOWN:
mHasPerformedLongPress = false;
if (performButtonActionOnTouchDown(event)) {
break;
}
// Walk up the hierarchy to determine if we're inside a scrolling container.
boolean isInScrollingContainer = isInScrollingContainer();
// For views inside a scrolling container, delay the pressed feedback for
// a short period in case this is a scroll.
if (isInScrollingContainer) {
mPrivateFlags |= PFLAG_PREPRESSED;
if (mPendingCheckForTap == null) {
mPendingCheckForTap = new CheckForTap();
}
postDelayed(mPendingCheckForTap, ViewConfiguration.getTapTimeout());
} else {
// Not inside a scrolling container, so show the feedback right away
setPressed(true);
checkForLongClick(0);
}
break;
case MotionEvent.ACTION_CANCEL:
setPressed(false);
removeTapCallback();
removeLongPressCallback();
break;
case MotionEvent.ACTION_MOVE:
final int x = (int) event.getX();
final int y = (int) event.getY();
// Be lenient about moving outside of buttons
if (!pointInView(x, y, mTouchSlop)) {
// Outside button
removeTapCallback();
if ((mPrivateFlags & PFLAG_PRESSED) != 0) {
// Remove any future long press/tap checks
removeLongPressCallback();
setPressed(false);
}
}
break;
}
return true;
}
return false;
}对于AdapterView类型的View组件,通过Hook类android.view.View的方法dispatchTouchEvent,AdapterView组件获取实例对象View中的成员变量mOnItemClickListener的类(事件响应类)的类名称,得到监听和响应用户单击事件的处理类OnItemClickListener的信息。
/**
* Pass the touch screen motion event down to the target view, or this
* view if it is the target.
*
* @param event The motion event to be dispatched.
* @return True if the event was handled by the view, false otherwise.
*/
public boolean dispatchTouchEvent(MotionEvent event) {
if (mInputEventConsistencyVerifier != null) {
mInputEventConsistencyVerifier.onTouchEvent(event, 0);
}
if (onFilterTouchEventForSecurity(event)) {
//noinspection SimplifiableIfStatement
ListenerInfo li = mListenerInfo;
if (li != null && li.mOnTouchListener != null && (mViewFlags & ENABLED_MASK) == ENABLED
&& li.mOnTouchListener.onTouch(this, event)) {
return true;
}
if (onTouchEvent(event)) {
return true;
}
}
if (mInputEventConsistencyVerifier != null) {
mInputEventConsistencyVerifier.onUnhandledEvent(event, 0);
}
return false;
}4.类ActivityHooker主要用于实现Hook类android.app.Activity的方法onResume,获取类方法onResume所属类Activity的实例对象的类名称并显示出来。
/**
* Called after {@link #onRestoreInstanceState}, {@link #onRestart}, or
* {@link #onPause}, for your activity to start interacting with the user.
* This is a good place to begin animations, open exclusive-access devices
* (such as the camera), etc.
*
* <p>Keep in mind that onResume is not the best indicator that your activity
* is visible to the user; a system window such as the keyguard may be in
* front. Use {@link #onWindowFocusChanged} to know for certain that your
* activity is visible to the user (for example, to resume a game).
*
* <p><em>Derived classes must call through to the super class's
* implementation of this method. If they do not, an exception will be
* thrown.</em></p>
*
* @see #onRestoreInstanceState
* @see #onRestart
* @see #onPostResume
* @see #onPause
*/
protected void onResume() {
if (DEBUG_LIFECYCLE) Slog.v(TAG, "onResume " + this);
getApplication().dispatchActivityResumed(this);
mCalled = true;
}5.类FragmentHooker用于实现Hook类"android.support.v4.app.Fragment"的方法onResume和方法setUserVisibleHint,获取类Fragment的类名称并进行显示。
源码文件路径:/frameworks/support/v4/java/android/support/v4/app/Fragment.java
/**
* Called when the fragment is visible to the user and actively running.
* This is generally
* tied to {@link Activity#onResume() Activity.onResume} of the containing
* Activity's lifecycle.
*/
public void onResume() {
mCalled = true;
}
/**
* Set a hint to the system about whether this fragment's UI is currently visible
* to the user. This hint defaults to true and is persistent across fragment instance
* state save and restore.
*
* <p>An app may set this to false to indicate that the fragment's UI is
* scrolled out of visibility or is otherwise not directly visible to the user.
* This may be used by the system to prioritize operations such as fragment lifecycle updates
* or loader ordering behavior.</p>
*
* @param isVisibleToUser true if this fragment's UI is currently visible to the user (default),
* false if it is not.
*/
public void setUserVisibleHint(boolean isVisibleToUser) {
if (!mUserVisibleHint && isVisibleToUser && mState < STARTED) {
mFragmentManager.performPendingDeferredStart(this);
}
mUserVisibleHint = isVisibleToUser;
mDeferStart = !isVisibleToUser;
}有作者gtict112将DroidSword工具的功能用java代码进行了实现并添加了新的功能构建成工程xposedhook,xposedhook工程的github地址:https://github.com/gtict112/xposedhook,后面有时间我再看下将这部分代码集成到我自己的Xposed模块中。
DroidSword工具的类ViewClickedHooker的代码:
package net.androidwing.droidsword.hooker
import android.app.AlertDialog
import android.app.AndroidAppHelper
import android.app.Dialog
import android.content.DialogInterface
import android.view.MotionEvent
import android.view.View
import android.widget.*
import de.robv.android.xposed.XC_MethodHook
import de.robv.android.xposed.XposedHelpers
import de.robv.android.xposed.callbacks.XC_LoadPackage
import net.androidwing.droidsword.func.TextViewChanger
import net.androidwing.droidsword.func.ViewEnabler
import net.androidwing.droidsword.utils.LogUtils
/**
* Created on 28/10/2017.
*/
class ViewClickedHooker : IHooker {
override fun hook(lp: XC_LoadPackage.LoadPackageParam) {
// Hook类android.view.View的方法onTouchEvent
// public boolean onTouchEvent(MotionEvent event)
XposedHelpers.findAndHookMethod(View::class.java,
"onTouchEvent",
MotionEvent::class.java, object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
// 获取类方法onTouchEvent所在的实例对象View
val view = param?.thisObject as View
// 获取类方法onTouchEvent的传入参数MotionEvent实例对象
val event = param.args!![0] as MotionEvent
// 对用户点击屏幕的事件进行判断
if (event.action == MotionEvent.ACTION_UP) {
// 获取实例对象View中的成员变量mListenerInfo->mOnClickListener所属的类名称
val listener = XposedHelpers.getObjectField(
XposedHelpers.getObjectField(view, "mListenerInfo"),
"mOnClickListener").javaClass.name
// 显示获取到的View类的名称、View类的id、View的事件监听类对象的类名称
ActivityHooker.setActionInfoToMenu("",
"${view.javaClass.name} ${view.id} \nListener: $listener")
antiDisable(view)
}
}
})
// Hook类android.view.View的方法dispatchTouchEvent
// public boolean dispatchTouchEvent(MotionEvent event)
XposedHelpers.findAndHookMethod(View::class.java,
"dispatchTouchEvent",
MotionEvent::class.java, object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
// 获取类方法dispatchTouchEvent所在类View的实例
val view = param?.thisObject as View
// 获取类方法onTouchEvent的传入参数MotionEvent实例对象
val event = param.args!![0] as MotionEvent
// 进行用户点击屏幕的事件类型的判断
if (event.action == MotionEvent.ACTION_DOWN) {
// 进行View类型的判断(AdapterView)
if (view is AdapterView<*>) {
// 获取实例对象View中的成员变量mOnItemClickListener的类(事件响应类)的类名称
val listener = XposedHelpers.getObjectField(view,"mOnItemClickListener").javaClass.name
// 显示获取到的View类的名称、View类的id、View的事件监听类对象的类名称
ActivityHooker.setActionInfoToMenu("",
"${view.javaClass.name} ${view.id} \nListener: $listener")
}
}
}
})
// 文字修改功能的实现
XposedHelpers.findAndHookMethod(View::class.java,
"onTouchEvent",
MotionEvent::class.java, object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
val targetView = param?.thisObject as View
if (true) {
// ??
showChangeTextDialog(targetView, param)
}
}
})
}
private fun antiDisable(view: View) {
//TODO 默认开启待添加配置文件
if (false) {
ViewEnabler.antiDisable(view)
}
}
/**
* 文本修改神器功能
*/
private fun showChangeTextDialog(targetView: View,
param: XC_MethodHook.MethodHookParam) {
//TODO 默认开启待添加配置文件
val event = param.args!![0] as MotionEvent
if (false) {
TextViewChanger.showChangeDialog(targetView, event)
}
}DroidSword工具的类ActivityHooker的代码:
package net.androidwing.droidsword.hooker
import android.app.Activity
import android.app.AndroidAppHelper
import android.app.Fragment
import android.content.Context
import android.graphics.Color
import android.os.Build
import android.os.Bundle
import android.support.v7.widget.AppCompatImageHelper
import android.text.TextUtils
import android.view.LayoutInflater
import android.view.ViewGroup
import android.widget.FrameLayout
import android.widget.TextView
import android.widget.Toast
import de.robv.android.xposed.XC_MethodHook
import de.robv.android.xposed.XposedHelpers
import de.robv.android.xposed.callbacks.XC_LoadPackage
import net.androidwing.droidsword.utils.LogUtils
import java.util.ArrayList
/**
* Created on 30/10/2017.
*/
class ActivityHooker : IHooker {
// /frameworks/base/core/java/android/app/Activity.java
override fun hook(lp: XC_LoadPackage.LoadPackageParam) {
// Hook类android.app.Activity的方法onResume
// protected void onResume()
XposedHelpers.findAndHookMethod(Activity::class.java, "onResume", object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
// 获取类方法onResume所属类Activity的实例对象
val activity = param?.thisObject as Activity
// 显示类对象实例Activity的类名称
addTextView(activity)
// Hook类Fragment的类方法,获取类Fragment实例对象的类名称
FragmentHooker().hookFragment(param)
}
})
}
// 显示类对象实例Activity的类名称
private fun addTextView(activity: Activity) {
// 获取类对象实例Activity的类名称
val className = activity.javaClass.name.toString()
// 构建TextView实例对象
if (sTextView == null) {
genTextView(activity)
}
if (sTextView?.parent != null) {
val parent = sTextView?.parent
if (parent is ViewGroup) {
parent.removeView(sTextView)
}
}
(activity.window.decorView as FrameLayout).addView(sTextView)
// 显示类对象实例Activity的类名称
setActionInfoToMenu(className, "")
sTextView?.bringToFront()
}
// 创建TextView的实例对象
private fun genTextView(activity: Activity) {
sTextView = TextView(activity)
with(sTextView!!) {
textSize = 8f
y = 48 * 2f
setBackgroundColor(Color.parseColor("#cc888888"))
setTextColor(Color.WHITE)
layoutParams = FrameLayout.LayoutParams(FrameLayout.LayoutParams.MATCH_PARENT,
FrameLayout.LayoutParams.WRAP_CONTENT)
}
}
companion object {
var sTextView: TextView? = null
private var sActivityName = ""
private var sViewName = ""
fun setActionInfoToMenu(activityName: String, viewName: String) {
sTextView?.text = getActionInfo(activityName, viewName)
}
public var sFragmentName = ""
private fun getActionInfo(activityName: String, viewName: String): CharSequence? {
if (activityName.isEmpty().not()) {
sActivityName = activityName
}
if (viewName.isEmpty().not()) {
sViewName = viewName
}
val pid = android.os.Process.myPid()
return "Activity: $sActivityName \nPid: $pid \nClick: $sViewName \nFragment:$sFragmentName"
}
}DroidSword工具的类FragmentHooker的代码:
package net.androidwing.droidsword.hooker
import de.robv.android.xposed.XC_MethodHook
import de.robv.android.xposed.XposedHelpers
import de.robv.android.xposed.callbacks.XC_LoadPackage
import net.androidwing.droidsword.utils.LogUtils
/**
* Created on 30/10/2017.
*/
class FragmentHooker : IHooker {
override fun hook(lp: XC_LoadPackage.LoadPackageParam) {
}
// /frameworks/support/v4/java/android/support/v4/app/Fragment.java
fun hookFragment(param: XC_MethodHook.MethodHookParam?) {
// Hook类"android.support.v4.app.Fragment"的方法onResume
// public void onResume()
XposedHelpers.findAndHookMethod(
param?.thisObject?.javaClass?.classLoader?.loadClass("android.support.v4.app.Fragment"),
"onResume",
object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
// 获取类Fragment的类名称
ActivityHooker.sFragmentName = (param?.thisObject?.javaClass?.name!!)
// 进行类Fragment的类名称显示的设置
ActivityHooker.setActionInfoToMenu("","")
}
override fun beforeHookedMethod(param: MethodHookParam?) {
super.beforeHookedMethod(param)
}
})
// Hook类"android.support.v4.app.Fragment"的方法setUserVisibleHint
// public void setUserVisibleHint(boolean isVisibleToUser)
XposedHelpers.findAndHookMethod(
param?.thisObject?.javaClass?.classLoader?.loadClass("android.support.v4.app.Fragment"),
"setUserVisibleHint", Boolean::class.java,
object : XC_MethodHook() {
override fun afterHookedMethod(param: MethodHookParam?) {
super.afterHookedMethod(param)
if (param?.args!![0] == true) {
LogUtils.e("fragment showing:")
LogUtils.e("fragment ${param?.thisObject?.javaClass?.name}")
// 获取类Fragment的类名称
ActivityHooker.sFragmentName = (param?.thisObject?.javaClass?.name!!)
// 进行类Fragment的类名称显示的设置
ActivityHooker.setActionInfoToMenu("","")
}
}
override fun beforeHookedMethod(param: MethodHookParam?) {
super.beforeHookedMethod(param)
}
})
}
}Android apk快速定位、灰色按钮克星--DroidSword的更多相关文章
- CLRInjection - 通用托管注入(超级灰色按钮克星升级版)
通用托管注入 - CLRInjection CLR软件系列第二发: 通用托管注入 - CLRInjection 软件简介:这款软件可以将任意托管DLL用插件的形式,注入到正在运行中的.net托管程序集 ...
- [Android Studio] Android Studio快速定位当前打开的文件在哪个目录(package)下
转载自:http://blog.csdn.net/hyr83960944/article/details/38067499 在Eclipse中有一个很好的功能,就是比如我打开一个AActivity,左 ...
- [Android Studio] Android Studio快速定位当前打开的文件在哪个目录(package)下
转载自:http://blog.csdn.net/hyr83960944/article/details/38067499 在Eclipse中有一个很好的功能,就是比如我打开一个AActivity,左 ...
- Android ListView快速定位(三)
方法三: android:fastScrollEnabled="true" 这个很简单,只要把属性设置了,就可以起作用了 不过这个滑块比较丑,当然网上也有自定义图片的例子. 参考 ...
- Android ListView快速定位(二)
方法二:android:textFilterEnabled="true" + Filter 这个属性在android.widget.AbsListView下,要求adapter必须 ...
- Android ListView快速定位(四)
方法四: 添加一个EditText,作为搜索框 + Filter 其实这个不算第四个方法,因为与第二个一样,主要是实现Filter. 但是对于EditText的监听,我以前也没有写过,所以也记录一下. ...
- Android ListView快速定位(一)
方法一: SectionIndexer接口 + 索引列表 参考:http://www.apkbus.com/android-69999-1-1.html 所谓section 就是一组有共性的item, ...
- 快速定位 Android APP 当前页面的三种方法(Activity / Fragment)
方法一.通过adb命令打印当前页面: Android 如何快速定位当前页面是哪个Activity or Fragment (1)查看当前Activity :adb shell "dumpsy ...
- Android GIS开发系列-- 入门季(10) MapView快速定位到Geometry
我们知道某个Geometry的坐标,但不知道具体的位置,该如何使地图快速定位呢?这时需要用到MapView.setExtent方法,来看下这个方法的介绍:Zooms the map to the gi ...
随机推荐
- golang——net/rpc/jsonrpc包学习
1.jsonrpc包 该实现了JSON-RPC的ClientCodec和ServerCodec接口,可用于rpc包. 可用于跨语言使用go rpc服务. 2.常用方法 (1)func Dial(net ...
- 分布式基础理论之CAP 和BASE
前言 本文聊聊 CAP 定理和 BASE 理论. CAP 定理 C:一致性(Consistency) 数据的强一致性.希望分布式系统只读到最新写入的数据 A:可用性(Availability) 分布式 ...
- 浅谈Dotnet的数据定位和匹配
Dotnet里,数据定位和匹配的相关编程现在变得很舒服. 最近项目紧,还要不停出差. 所以,写个短点的.最近经常用到的内容:数据定位和匹配. 数据定位 假设我们有这样一个数组: var arr ...
- 02-Spring配置文件加载
获取IOC容器 加载.解析xml文件,形成GenericBeanDefinition,供后续实例化剩下的所有 Bean 使用. obtainFreshBeanFactory() 获取IOC容器 pro ...
- 【codeforces - 1307G】Cow and Exercise
目录 description solution accepted code details description 给定 n 点 m 边简单有向图,有边权. q 次询问,每次给出 xi.可以增加某些边 ...
- HTML5中window.postMessage,在两个页面之间的数据传递
HTML5中window.postMessage,在两个页面之间的数据传递 2015年11月3日 8536次浏览 关于postMessage window.postMessage虽然说是html5的功 ...
- 使用jQuery实现ajax请求
<%-- Created by IntelliJ IDEA. User: Administrator Date: 2021/3/13 Time: 14:54 To change this tem ...
- FIL怎么获得?FIL在哪里购买?
从一些交易网站可以看到,FIL 这几天有一个比较大的涨幅,这让许多投资 FIL 的朋友大松一口气:FIL,你终于不装睡了.估计许多关注区块链的小伙伴看到消息又要问了:FIL 怎么获得?FIL 在哪里购 ...
- C#上机实验(三)
源码如下: using System; using System.Collections.Generic; using System.Linq; using System.Text; namespac ...
- (四)SpringBoot启动过程的分析-预处理ApplicationContext
-- 以下内容均基于2.1.8.RELEASE版本 紧接着上一篇(三)SpringBoot启动过程的分析-创建应用程序上下文,本文将分析上下文创建完毕之后的下一步操作:预处理上下文容器. 预处理上下文 ...